ABSTRACT



A system for screening data packets transmitted between a 
network to be protected, such as a private network, and 
another network, such as a public network. The system 
includes a dedicated computer with multiple (specifically, 
three) types of network ports: one connected to each of the 
private and public networks, and one connected to a proxy 
network that contains a predetermined number of the hosts 
and services, some of which may mirror a subset of those 
found on the private network. The proxy network is isolated 
from the private network, so it cannot be used as a jumping 
off point for intruders. Packets received at the screen (either 
into or out of a host in the private network) are filtered based 
upon their contents, state information and other criteria, 
including their source and destination, and actions are taken 
by the screen depending upon the determination of the 
filtering phase. The packets may be allowed through, with or 
without alteration of their data, IP (internet protocol) 
address, etc., or they may be dropped, with or without an 
error message generated to the sender of the packet. Packets 
may be sent with or without alteration to a host on the proxy 
network that performs some or all of the functions of the 
intended destination host as specified by a given packet. The 
passing through of packets without the addition of any 
network address pertaining to the screening system allows 
the screening system to function without being identifiable 
by such an address, and therefore it is more difficult to target 
as an IP entity, e.g. by intruders. 

12 Claims, 7 Drawing Sheets 
SYSTEM FOR PACKET FILTERING OF
DATA PACKETS AT A COMPUTER
NETWORK INTERFACE

This application is a divisional application of U.S. patent
application Ser. No. 08/444,351, filed May 18, 1995 now
U.S. Pat. No. 5,802,320.

BACKGROUND OF THE INVENTION 

The present invention relates to screening of data packets
sent from one computer network to another. There are
numerous ways for a user on a public network to interact
with a host machine on a private network, such as in a telnet
session, an ftp (file transfer protocol) session, by email
(electronic mail), and so on. In addition, computers on a
given target network may be requested to carry out certain
operations by users outside the network, besides directly
connecting the requester's machine.

A conventional internetwork 10 is shown in FIG. 1,
including a private network 20, a public network 30, and
another private network 40. If the private networks 20 and
40 are not provided with firewalls, they are quite vulnerable
to intruders.

FIG. 3 shows an internetwork 110 where a private
network 120 can communicate with another private network
140 via a router or bridge 130, which is controlled by logic
(such as a circuit, or typically a processor with associated
memory) 150 which controls network interfaces 160 and
170. When a data packet arrives from network 140
addressed to a host and specifying a port on network 120, it
is mapped to that host and port by unit 180, and transmitted
via interface 160 to the appropriate destination on the
network 120. FIG. 3 is also not provided with any security,
and hence is available for targeting.

Computer firewalls have therefore been developed, as in
the system 50 shown in FIG. 2, where private networks 60
and 100 can communicate with one another via public
network 80, but are provided with firewalls 70 and 90,
respectively. A problem with conventional computer fire-
walls (and routers or bridges such as bridge 130 in FIG. 3)
in use today is that they participate in IP (Internet Protocol)
transactions, and in doing so generate information identify-
ing them as IP machines, which makes them visible for
targeting by intruders. For a detailed discussion of this and
other types of problems with firewalls, see, e.g. the reference
Firewalls and Internet Security by Cheswick & Bellovin
(Addison Wesley 1994), and Internet Firewalls and Network
Security by Siyan & Hare (New Riders Publishing 1995),
which are incorporated herein by reference.

A firewall and packet filtering system should ideally be
invisible to intruders so as to help minimize the number of
ways in which it can be targeted, while nonetheless filling
functions that are appropriate.

Current network security solutions often involve modifi-
cations to the networks in addition to the provision of
firewalls, which can be complicated and expensive. A sys-
tem is needed that can be connected to a network substan-
tially without altering it, but providing security against
breaches from outside the protected network.

Packet filtering systems are used today to provide security
for networks, but conventionally act as routers, having one
port or network interface coupled to the protected network
and another port to another network or the Internet. As
routers, such systems are responsive to IP commands, and in
particular may respond to data packets by using their IP
addresses. This allows intruders to target them for charac-
terization and attack.
The same type of targeting may be accomplished when
addresses within a protected network are known to users
outside the network. It would therefore be advantageous to
provide a system that can respond to data packets from
outside a network without revealing IP address information
about either the filtering system or about hosts within the
network.

SUMMARY OF THE INVENTION 

The present invention is directed to a screening system 
that acts as both a firewall in the conventional sense and a 
signatureless packet filtering system. A screen is positioned 
on the network connection between, for example, a public 
network and a private network that is to be protected from 
targeting for attack. A port or network interface is provided 
for each of the two networks, and one or more additional 
ports are provided to one or more proxy networks. 

The screening system includes a packet filtering sub- 
system or module, which inspects each incoming packet and 
sends it to an engine, which determines, based upon the 
packet inspector and other information, what actions should 
be taken on the packet. The packet is passed to an actions 
subsystem or module, which executes the appropriate 
actions. 

If the packet's intended destination is a host machine on
the private network, it may instead be sent aside to a
preconfigured host machine on the proxy network, which
executes appropriate operations that the actual host would
execute, or different operations as desired. The proxy host
generates responses using the IP address of the actual host,
so the existence of the proxy network is not detectable. The
screening system is not a router and hence does not have its
own IP address, so it too cannot be detected in this manner,
and is not subject to such operations as trace_route, ping,
finger, and so on.

The screening system requires no modification to the 
private or public networks; instead, it can be connected 
in-line on the network connection, a proxy network can be 
set up with as many hosts as desired, and security is thereby 
provided without reconfiguring the private network or alter- 
ing the network software. 

The screening system can be preconfigured to carry out a 
wide range of other actions on the packets, all subject to 
predetermined criteria, such as dropping them with or with- 
out an error message, logging them, altering them or their 
headers, and so on. Each of these and other actions can be 
carried out while maintaining the anonymity of the screen- 
ing system. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a block diagram of a system connecting two 
computer networks via a public network. 

FIG. 2 is a block diagram of a system connecting two 
computer networks via a public network, using intervening 
firewalls. 

FIG. 3 shows a conventional system including a bridge 
between two computer networks. 

FIG. 4 is a block diagram of an exemplary connection
from a private network and a public network to another
private network, via firewalls.

FIG. 5 is a block diagram of a computer internetwork
including a packet screening system according to the inven-
tion.

FIG. 6 is a functional block diagram of a packet screening 
system of the invention on an internetwork. 
FIG. 7 is a block diagram of an alternative embodiment of the packet screening system of the invention.

FIG. 8 is a block diagram of hardware for implementing the invention.

FIG. 8A is a diagram of another embodiment of the invention.

FIG. 9 is a functional block diagram of the invention.

FIGS. 10-11 are flow charts of the method of packet screening according to a preferred embodiment of the invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

The Hardware of the Invention

FIG. 4 shows an internetwork system appropriate for implementation of the present invention. A public network 200 (or network of networks, such as the Internet) can communicate with a private network or internetwork 210, which includes by way of example an engineering domain network 220 and a corporate domain network 230. A conventional firewall 240 is positioned as shown between the network 220 and the networks 230 and 200. Note that the firewall may, as illustrated, be positioned between a given private network (220) and a public network (200), and also between the private network 200 and other networks (such as 210) which are on its own private internetwork. The networking hardware and software can be any suitable conventional networking system, such as Ethernet.

Firewall 240 may be configured as a single machine or as separate machines, one handling the incoming data packets and the other handling the outgoing data packets from network 220, as desired by the implementer. In addition, another firewall specifically for the corporate domain network 230 would normally be used, but is not illustrated in this figure.

Data packets transmitted from either of the networks 200 or 230 travel via connections 300 or 280 to the firewall 240, which may be conventional except in the respects noted below. Firewall 240 passes allowed data packets via connection 250 to the network 220.

Likewise, data packets from network 220 addressed to destinations within network 200 or network 230 are transmitted over connection 270 to the firewall 240, which passes packets as requested, subject to its security provisions, via connection 310 (if to network 200) or connection 290 (if to network 230). Connections 250 and 270-310 may all be conventional network connections, for example cables, fiber optics, or the like.

FIG. 5 is a logical block diagram of a packet screening system 340 of the invention that can be implemented in an internetwork system 320, which may alternatively be an internetwork such as that shown in FIG. 4; thus, firewall 240 may be replaced by the screening system 340, which is configured to handle all of the conventional firewall functions plus the screening functions described below.

In FIG. 5, a single private network 330 is shown coupled via a standard network interface 410 to the packet screening system (or simply "screen") 340. In addition, public network 350 is coupled to the screen 340 via another standard network interface 425. A third network, proxy network 430, is coupled to the screen 340 via network interface 420.

Using firewall connections such as those in FIGS. 4 and 5, any number N of private networks (which in this case may be considered to include the proxy network) may be coupled via multiple screens 340 of the invention to one another and to any desired number M of public networks. Thus, an NxM screening system may be formed; in the example of FIG. 5, N=2 and M=1. See also the discussion below of FIG. 8.

It is equally possible to build a system of the invention without the proxy network, where N=M=1, and where data packets would pass through without alteration of the IP address in one or both directions, or with some alteration but without adding any IP or other network address of the screening system itself. Such a system is described below in connection with FIG. 8A.

FIG. 6 shows greater detail of the screen 340, which may be a uni- or multiprocessor-based system; in this embodiment, a single processor 390 is shown, coupled to one or more conventional memories (for example, RAM, ROM, EPROM, disk storage, etc.) 400, which store(s) the instructions necessary to execute the operations carried out by the invention. The network interfaces 410-425 are controlled by the processor 390 in conventional fashion.

The private network 330 may include different hosts, such as a mail host 360, an ftp (file transfer protocol) host 370, and other hosts 380 for other services, such as a WWW (World-Wide Web) server, hosts for rlogin (remote login) and rshell, and so on.

The proxy network 430 includes proxy (or virtual) hosts 435, which preferably are separate computer systems. In the preferred embodiment, the proxy network 430 includes a virtual host mirroring (or as proxy for) each of a subset (or all) of the hosts found on the private network 330, in a manner to be described below.

Such virtual hosts in the embodiment shown include a proxy mail host 440, a proxy ftp host 450, and other virtual hosts 460, with a virtual (proxy) host for each actual host desired to be duplicated, which may include some or all actual hosts. The proxy hosts are virtual in the sense that they are not the actual targeted hosts 360-380, but rather mimic the behavior of those hosts; but they do represent actual hardware and/or software in the network.

Hosts may also be provided that are unique to the proxy network. For instance, the proxy network 430 may include a WWW server 445 which is unique to the proxy server, i.e. not merely a mirror or proxy for a WWW server on the private network 330. In this case, when a user from network 350 requests a connection to http://www.<private.network>.com, he/she will be connected to WWW server 445. Other servers 455 unique to the proxy network 430 may also be provided.

A proxy network may thus include proxy hosts representing actual hosts, and/or proxy hosts with unique servers, in any combination (zero to several of each). Whichever configuration is adopted, the private network 330 and the proxy network 430 together form a single logical or apparent network 345, i.e. a single apparent domain from the point of view of outsiders, such as users on the public network 350, so that when a user attempts to access a service or host of the private network, the request may be shunted aside to the proxy network to either a mirroring proxy host or a unique proxy host, without any indication being given to the user that this has occurred. (Note that "proxy host" may mean that it is a proxy for an actual host, or may mean that it is a host on the proxy network, albeit a unique host.)

FIG. 7 shows an alternate embodiment of the system of the invention, namely a system 325 wherein the proxy network 430 is implemented entirely in program instructions stored in the memory 400 of the screen 340, or as additional
processor(s) and memory(-ies) controlled by program instructions stored in one or more of the memories. In this case, the screen 340 and proxy network 430 shown in FIG. 6 constitute separate logical entities, but not separate physical entities (except to the extent that the instructions, data, commands, signals, etc. are themselves separate physical entities). That is, the screen 340 and proxy network may be a single unit. In this embodiment, the proxy hosts 360-380 are emulated by the program instructions, so that all of the behavior of any of the actual hosts may be mimicked by a virtual proxy host module. The remainder of the present disclosure is with reference to FIGS. 5-6, but should be understood as applicable as well to the embodiment of FIG. 7.

FIG. 8 is a block diagram of the hardware for implementing the system of the invention, showing additional detail of the screen 340 over that shown in FIGS. 5-6. Like-numbered elements in the drawings are alike; so it will be seen that additionally disk storage 500, and I/O (input/output) devices 510 such as a smart card, keyboard, mouse, monitor, and/or other standard I/O devices are provided, as well as other desired conventional storage or memory 520. The instructions or program modules stored in memory 400 control the operation of the screen 340.

In one embodiment, the screen does not provide conventional user-level access, e.g. does not include the standard keyboard and monitor. This is a security feature to prevent meddling with the screen's configuration. In such an embodiment the screen is administered remotely through a dedicated network port with a secret IP (or other protocol) address that responds only to communications that are authenticated, encrypted and conforming to a dedicated, special-purpose administration protocol. Such a protocol, and the encryption and authentication schemes used, may be developed and/or selected by the screen administrator.

As shown in FIG. 8, the screen 340 may include, instead of a single port 425 (as in FIG. 5) connected to a public network, multiple ports 427 connected to multiple public networks, respectively, and may include one or more additional ports 415 connected to other private network(s) 335. For instance, a private network 335 may be an engineering domain eng.sun.com in a company, while the private network 330 may be a corporate domain corp.sun.com within the same company. The eng.sun.com and corp.sun.com domains may communicate with one another (if desired, through an additional screen of the invention or a conventional firewall, not shown) via connection 337 and form a single private internetwork 355, while both these domains are protected against intrusions from public network(s) 350 by the screening system 340. The proxy network 430 in this embodiment includes proxies for both the eng.sun.com and corp.sun.com domains.

Thus, although in the remainder of the present discussion it is assumed that the communications in question are between a single public network 350 and a single private network 330, the features of the invention may equally well be applied to multiple private networks 330, 335 connected via the screen 340 to multiple public networks 350.

In the system 530 shown in FIG. 8A, a private network 540 is provided with a screening system 540 according to the invention, but without the proxy network. In this and the other embodiments, data packets are transmitted in either direction without alteration of their IP addresses, or alternatively with some alteration but without adding any IP or other network address of the screening system itself. The decision to alter addresses or not can be made on a packet-by-packet basis according to the predetermined criteria. In the system of the invention (including any of the embodiments of FIGS. 5-9), the source and destination addresses that are provided with the packet would thus remain (whether altered or not) the sole host identifiers or addresses associated with the packet. In an alternative to this embodiment, the screening system can substitute another network address for either the source address or the destination address (or both), where the newly substituted address is either bogus or belongs to a host other than the screening system. In either case, no network address pertaining to the screening system attaches to a data packet.

As indicated above, the screening system preferably does not even have an IP or other network address, and while it can interpret IP protocol, it is configured not to respond to IP requests. Thus, the screening system avoids detection and hence targeting by intruders.

The operation of the system of FIGS. 5-6 will be discussed below in connection with FIGS. 9-11, but should be understood to apply also to the other embodiments of the invention. Any of the operations, actions or functions to be executed by the system of the invention discussed above or hereinafter may be implemented as program instructions or modules, hardware (e.g. ASICs or other circuitry, ROMs, etc.), or some combination thereof.

General Handling of Data Packets

In FIG. 6, when a data packet arrives from the public network 350 addressed to one of the hosts or servers 360-380, it is intercepted by the screen 340. Such a packet typically will include a source address, a destination address, a requested operation and/or service, and other information, such as a message (if it's email), data to be operated on, and so on.

The screen 340 includes instructions stored in memory 400 governing its control of actions to be taken on the incoming (and outgoing) data packets. These instructions include a predetermined set of criteria based upon the aforementioned contents of the data packets (source and destination addresses, type of service, or other information obtainable from the data packets), and based upon other information, such as: the time of day the packet was sent or was received by the screen; the state of the connection between the public and private networks (or the state of the connection to a particular host or service in the private network); and more obliquely obtainable information, such as whether the source address emanates from an expected (inter)network location. This may be done by determining whether the source host is in the expected domain, or it may be done by determining whether the packet arrives at a network interface expected for that packet. For instance, a packet whose source address is identified as a host on private network 330 should not arrive at network interface 425 (in FIG. 6) for the public network 350; if it does, this is an indication that an intruder may be attempting to breach the private network by masquerading as a trusted host. In this case, the screen 340 should drop the packet without reply.

Such screening criteria can be implemented by inspecting the contents of the data packets, by reference to external data (such as connection status and time of day), and by reference to predefined tables or other information useful to implement the criteria and stored in the memory 400. For instance, a table may be provided of all source addresses allowed to communicate with the network 330 correlated with the types of operations and services they are allowed to use, the times

of day they are allowed to be connected or to pass packets, 
the expected locations for the sources (since a connection 
from an unexpected source may indicate a security 
problem), the number of times a source is allowed to 
commence a transaction, the total amount of time (e.g. per 
day or month) that a particular source is allowed to use 
services of the network 330, and so on. 

The application of the screening criteria leads the screen
340 to take one or several predefined actions on each data
packet; these actions are discussed below.

Actions To Be Taken on Packets 

Actions are taken on each data packet by the screening 
system 340, based upon the foregoing criteria and the 
particular security protocol and level for that packet as 
determined in advance by the system administrator. For 
instance, it may be decided that no packets from (or to) any 
source that is not cleared in advance will be allowed in; in 
this case, packets from (or to) any other source will be 
dropped by the screen 340 without further action, either with 
or without an error message or other communication back to 
the sender; the sender will have no indication of what has 
happened to the packet, and there will be no "bounce" 
message. 

This helps prevent attacks on the system. For instance, if
a trace_route packet is received, instead of following the
normal IP procedure of responding to the packet the screen
of the invention simply discards it, and the initiator of the
trace_route command cannot in this way detect the screen.

Topology hiding, i.e. changing the network address of the
packet as it passes through the screen, can be done so that
it appears that all the packets issuing from the screen come
from the same host, even though they are coming from a
multiplicity of sources. This inhibits outsiders attempting to
leverage off the knowledge they may gain by learning
userids, host names, etc. within the private network.

Another action can, of course, be to simply pass the 
packet through to its destination, with or without some 
alteration based upon predetermined criteria. For instance, it 
may be decided in advance that all packets from a given host 
inside private network 330 will have the userid or host ID 
stripped off, and the packet may be passed through with 
some other IP source address. 

Encryption and decryption may also automatically be 
executed on certain data packets, with the criteria defined by 
the system administrator. Along with this it may be desirable 
to encapsulate a packet and give it a new header with a new 
IP address, as described for instance in applicant's copend- 
ing U.S. patent application entitled "System for Signature- 
less Transmission and Reception of Data Packets Between 
Computer Networks" by Aziz et al., Ser. No. 08/306,337 
filed Sep. 15, 1994, now U.S. Pat. No. 5,548,646, which is 
incorporated herein by reference. 

Packets will normally be logged in the log file storage 640 
(especially failed attempts or requests), including whatever 
information the system administrator decides is important, 
such as: time of day; source and destination addresses; 
requested operation(s); other actions taken with respect to 
each packet; number of requests to date from this source; 
and so on. 

Packets may also be counted, so a running total of the 
number processed in a certain time period is kept. 

Address rewriting is mentioned above; other contents of
the packet may also automatically be rewritten by pre-
defined actions, including rewriting or otherwise altering
data or messages carried by packets.
State information about the packets can also be
determined, logged if desired, and altered by actions. For
instance, TCP/IP (transmission control protocol/internet
protocol) status can be affected as desired to establish,
maintain or end a connection. In general, the screen can store
information about what state each packet is in, and take
actions dependent upon that state, including maintaining
information about which packet was the initial request,
which is the response, and so on; so prior events may have
to be stored for some time, but in this case the screen can
determine the entire history of a series of transactions and
take appropriate actions at each time.

An important action for security purposes is that of
sending packets aside to the proxy network 430, which
includes servers/hosts as discussed above that execute
operations upon the packets as if the proxy hosts were the
actual, intended destination servers. Upon execution of such
operations, a proxy host may then return a given packet to
the sender, i.e. send the packet off with the original sender's
address as the destination. That packet will then go through
the screen 340, which will subject it to the predetermined
inspection criteria, just as when it was first received at the
screen from, for instance, public network 350. The criteria
will typically have different results for packets emanating
from the proxy network 430 or the private network 330; for
instance, it may be decided that no hosts outside the public
network may institute telnet sessions to the private network,
but that hosts inside the private network may institute telnet
sessions to hosts outside the private network.

The fact that the screening system has no network address
(IP or otherwise) enables it to carry out its security func-
tions anonymously; notably, it does not act as a conventional
network bridge. If the screen 340 provided the functions of
a bridge, it would have to respond to IP commands, and
hence would be detectable and targetable.

The proxy network has the additional advantage of pre-
venting outsiders from ever actually entering the private
network 330; once a user has been allowed access or a
connection to a private network, it is much more difficult to
restrict his/her actions than if no access at all is allowed. By
providing duplicate or mirrored proxy functionality of some
of the services of the private network in the proxy network,
and/or functionality of unique host or other services
(hardware and/or software) in the proxy network, the outside
user's requests are met while invisibly preventing him/her
from ever actually accessing the private network.

In addition, it may be decided that no such sessions may
be instituted at all from within the proxy network, which
might compromise security of the private network, since
packets from the proxy network in general will otherwise
have lower hurdles to overcome to be retransmitted by the
screen, since they will be more "trusted" by the system.
Allowing the proxy network to initiate TCP sessions might
allow an intruder from outside the system to effectively
bypass the firewall security if he/she can figure out how to
cause the proxy network to institute a TCP session instead of
having to do so from the public network.

It may be desirable to allow certain connections to be
established from the private network to the public network,
but not vice versa. For instance, TCP sessions (such as telnet
or ftp) may be initiated by a user within the private network
330 to the public network 350, while blocked from any
public network machine to the private network.
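As an added illustration (not code from the patent), the following Python models the screening criteria and actions described under "General Handling of Data Packets" and "Actions To Be Taken on Packets": the source-versus-arrival-interface consistency check with a silent drop, a table of cleared sources correlated with permitted services and hours of day, shunting cleared traffic for a mirrored host aside to its proxy host (which answers with the real host's address), admitting replies within sessions the screen has already seen, letting private hosts open sessions outward but not public hosts inward, and refusing session initiation from the proxy network. The address ranges, table layout, Packet fields and sample traffic are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed address plans for the networks on the screen's three ports.
PRIVATE_NET = ipaddress.ip_network("10.1.0.0/16")   # private network 330
PROXY_NET = ipaddress.ip_network("10.2.0.0/24")     # proxy network 430

# Assumed: private hosts that have a mirror on the proxy network (actual -> proxy).
PROXY_FOR = {ipaddress.ip_address("10.1.0.25"): ipaddress.ip_address("10.2.0.25")}

# Assumed layout of the table of cleared outside sources, correlated with the
# services they may use and the hours of day at which they may connect.
ALLOWED_SOURCES = {
    ipaddress.ip_network("192.0.2.0/24"): {"services": {"smtp", "http"}, "hours": range(8, 18)},
}


@dataclass(frozen=True)
class Packet:
    iface: str      # port the packet arrived on: "public", "private" or "proxy"
    src: str
    dst: str
    service: str    # requested service, e.g. "smtp" or "telnet"
    syn: bool       # True if this packet opens a new TCP session
    hour: int       # hour of day at which the screen received it


@dataclass(frozen=True)
class Decision:
    action: str     # "pass", "proxy" or "drop" (a drop is silent: nothing goes back to the sender)
    dst: str        # destination after any rewriting
    reason: str


def consistent(iface, src):
    """Source/interface consistency. A proxy host answers with the mirrored
    host's real address, so that address is also acceptable on the proxy port."""
    if iface == "private":
        return src in PRIVATE_NET
    if iface == "proxy":
        return src in PROXY_NET or src in PROXY_FOR
    return src not in PRIVATE_NET and src not in PROXY_NET


class Screen:
    def __init__(self):
        self.sessions = set()   # (initiator, responder, service) of admitted sessions
        self.log = []           # what would go to log file storage

    def decide(self, p):
        d = self._decide(p, ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst))
        self.log.append((p.hour, p.iface, p.src, p.dst, p.service, d.action, d.reason))
        return d

    def _decide(self, p, src, dst):
        # 1. A private address arriving on the public port is a masquerade: drop without reply.
        if not consistent(p.iface, src):
            return Decision("drop", p.dst, "source address inconsistent with arrival interface")
        # 2. The proxy network is never allowed to initiate a session.
        if p.iface == "proxy" and p.syn:
            return Decision("drop", p.dst, "proxy network may not initiate sessions")
        key, reply = (p.src, p.dst, p.service), (p.dst, p.src, p.service)
        # 3. Responses inside an admitted session pass whichever way they travel.
        if reply in self.sessions and not p.syn:
            return Decision("pass", p.dst, "reply within admitted session")
        # 4. Hosts inside the private network may open sessions outward.
        if p.iface == "private":
            if p.syn:
                self.sessions.add(key)
            return Decision("pass", p.dst, "outbound from private network")
        if p.iface == "proxy":
            return Decision("drop", p.dst, "proxy traffic outside any admitted session")
        # 5. Inbound from the public network: a new session only from a cleared source,
        #    for a permitted service at a permitted hour; otherwise a continuation of one.
        if key not in self.sessions:
            if not p.syn:
                return Decision("drop", p.dst, "no admitted session")
            entry = next((v for net, v in ALLOWED_SOURCES.items() if src in net), None)
            if entry is None or p.service not in entry["services"] or p.hour not in entry["hours"]:
                return Decision("drop", p.dst, "source not cleared for this service at this hour")
            self.sessions.add(key)
        # 6. Cleared traffic for a mirrored host is shunted aside to its proxy host.
        if dst in PROXY_FOR:
            return Decision("proxy", str(PROXY_FOR[dst]), "shunted to proxy host mirroring the destination")
        return Decision("pass", p.dst, "cleared inbound traffic")


def run_sample():
    """Constructed traffic sample; returns the action taken on each packet, in order."""
    screen = Screen()
    packets = [
        Packet("public", "10.1.0.9", "10.1.0.5", "smtp", True, 10),        # spoofed private source
        Packet("public", "192.0.2.10", "10.1.0.5", "telnet", True, 10),    # inbound telnet: not permitted
        Packet("public", "192.0.2.10", "10.1.0.25", "smtp", True, 22),     # permitted service, wrong hour
        Packet("public", "192.0.2.10", "10.1.0.25", "smtp", True, 10),     # cleared: goes to proxy mail host
        Packet("proxy", "10.1.0.25", "192.0.2.10", "smtp", False, 10),     # proxy answers as the real host
        Packet("public", "192.0.2.10", "10.1.0.25", "smtp", False, 10),    # continuation of that session
        Packet("proxy", "10.2.0.25", "198.51.100.4", "smtp", True, 10),    # proxy host trying to initiate
        Packet("private", "10.1.0.5", "203.0.113.7", "telnet", True, 11),  # private host opens telnet outward
        Packet("public", "203.0.113.7", "10.1.0.5", "telnet", False, 11),  # its reply is admitted
        Packet("public", "203.0.113.7", "10.1.0.5", "telnet", True, 11),   # same host opening inward: dropped
    ]
    return [screen.decide(p).action for p in packets]
```

Every decision is also appended to `Screen.log`, so the sample doubles as the kind of record the text says the screen would keep of failed attempts.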

In general, all actions taken by the proxy network will
pass the packets without identifying the proxy network or
any host in it as a separate IP entity. Thus, the packets will,
upon being passed or returned after processing, either appear actually to have been processed by the specified destination host (when in fact the proxy host has handled it), or they will be processed to remove, alter, or otherwise obscure the destination address (which is the source address for return packets). In either case, no IP address for the proxy host exists, and none is appended to any packets.

Functional Architecture of the Screening System

FIG. 9 is a functional block diagram corresponding to FIG. 8, but showing the functional modules that are used by the screen 340. In the preferred embodiment these modules are, as indicated above, program instruction modules stored in memory 400 and executed by processor 390.

The modules shown in FIG. 9 include a packet inspector 600 with a process 602-606 for each of the network interfaces 410-425; an engine 610 with rules 620; actions 630 and a log file storage 640; a packet state table 650, which is a conventional hash table; a cache fragmentation module 670 (along with a fragmentation bypass as shown); a packet fragmentor 660 coupled to each of the network interfaces 410-425; and a learning bridge table 680. The connections shown in FIG. 9 refer to logical (software) instructions or hardware instructions or both, depending upon the particular physical implementation of the invention.

Operation of the Screening System

FIGS. 10-11 are flow charts showing a preferred embodiment of the method of the invention. When a packet is sent by a host on, for instance, public network 350, it is received at port (interface) 425 of the screen 340. See box 800 in FIG. 10. The packet inspector inspects the contents of the packet as described above (box 810).

If the packet is to be rejected, it is efficient to do this by using the learning bridge table (of source addresses) 680.

One embodiment suitable for implementing packet inspection is shown in the flow chart of FIG. 11, though many variations are possible. In this exemplary flow chart, upon receipt of the packet (box 900), each of the packet headers is inspected in order (box 910), i.e. the physical link header, the IP header (is it TCP?), the TCP header (as to which port is designated and whether it's an existing or a new connection); and so on.

At box 920 and 940, negative determinations lead to box 930 for appropriate actions; positive determinations lead to box 950, where the designated port is determined, and then to box 960, where it is determined whether this particular connection is allowed, taking into account the information that the packet inspector has at its disposal, including the header information and also the packet contents, source,

The packet inspector 600 includes the instructions for destination and the other information mentioned above, 

inspecting the contents of the incoming packets based upon If the connection is not allowed, it is blocked (box 970), 

the criteria discussed above. That is, each incoming data but otherwise it is allowed, and then the method tests 

packet, wherever it comes from, is subjected to packet whether it is an initial connection (box 980)— if so, then at 

inspection by the packet inspector 600. 30 box 990 the connection is established, and at box 995 

The engine 610 processes incoming packets, and passes information is stored in the state table 650 (see FIG, 9) to 

them to the actions 630 to execute the appropriate operations identify the new connection. If not, then the connection is 

on the packets, as discussed above. The actions modules 630 checked at box 1010, and any update information (e.g. new 

are the modules dedicated to performing these operations. 35 ^formation about the connection) is stored m table 650. 

The log file storage 640 is used to store information about From either ste P 990 or 1020 > me method proceeds to box 

the data packets received at the screen 340, as discussed 1000 > i e - retums to box 810 m FIG - 10 - 

above. The packet state table 650 is similarly used to store It will be appreciated as mentioned that FIG. 11 is but one 

information about states of the received packets. embodiment of myriad possible sequences of tests and 

The fragmentor 660 operates in a conventional manner to 40 operations that may be carried out in the packet inspection 

fragment packets that are larger than a predefined maximum P hase - ^ operations executed of FIG. 11 may be carried 

transmission unit (MTU). This may occur, for instance, out b Y the engine 600 based upon the results of the packet 

where the screen adds information to a packet so as to inspection (e.g. at boxes 920, 940, 960 and 980). 

increase its size past this allowable maximum. A fragmen- Proceeding to box 820 in FIG. 10, the packet is passed to 

tation cache 670 is used in conventional fashion to imple- 45 the engine 610, which executes the appropriate predefined 

ment fragmentation and reconstruction of packets. Fragmen- operations discussed above. Typically, for firewall/screen 

tation packets typically include primarily or only an IP 340 this will involve blocking or passing the packets, where 

header information and data (in particular, no port number is if they are passed they may be turned aside to be operated 

included), and the screen 340 will rebuild the packets as upon by a proxy host in the proxy network 430. 

necessary, using the fragmentation cache. That is, the first 50 The current packet is thus passed to the actions module 

fragmented packet is stored in the fragmentation cache, as 630 for execution of the appropriate actions (box 830), and 

are subsequent fragments, until the last fragmented packet is at box 840 the engine determines whether there are addi- 

received, and the packet is then reconstructed. tional actions to be taken, based upon the packet inspector 

The fragmentation bypass 675 is used by the packet results and its own determination of which actions were 

inspector to bypass the engine operation for fragmented 55 appropriate to take. On the first pass through for a given 

packets for which information is found in the fragmentation packet, there will be at least one action to take (even if it is 

cache 670. Thus, when fragmented packets that second or only one action, e.g. to drop the packet without further 

later in the series of fragmented packets are received, this is action); so the first time through, box 840 will lead to box 

detected when the packet inspector 600 checks the fragmen- 850, where the first action is taken, 

tation cache 670. In such a case, the newly received frag- 50 The method then proceeds back to box 830, and this loop 

mentation packet is sent via bypass 675 to the actions 630, is completed until all actions determined by the engine have 

rather than via the engine 610. been taken by the actions module. At this point, box 840 

The learning bridge table 680 allows the screen 340 to act leads to box 860, where the screen 340 determines whether 

as a conventional learning bridge, i.e. to keep track of which there is another packet at one of its input ports (network 

hosts are on which side of the screen, and maintain tables of 65 interfaces). If so, the method begins anew at box 800, and if 

this information as packets arrive from one host or another not, then the method ends at box 870. It may recommence 

at each of the screen's ports (network interfaces). any time a new packet is received. 
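As an added example (not the patent's code), a constructed Python model of fragmentation cache 670 and fragmentation bypass 675 as described above: the engine's verdict is formed on the first fragment, the only one carrying a port number, and cached under the datagram's (source, destination, identification) key; later fragments found in the cache go around the engine straight to the actions with that verdict, and the datagram is rebuilt once every fragment has arrived. The Frag and FragmentCache names, the engine callable and the sample fragments are assumptions.

```python
# Added example (not the patent's code): model of fragmentation cache 670 and bypass 675.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frag:
    src: str
    dst: str
    ident: int            # IP identification field shared by all fragments of a datagram
    offset: int           # byte offset of this fragment's payload; 0 for the head
    more: bool            # IP "more fragments" flag; False only on the last fragment
    dport: Optional[int]  # transport port, present only in the head fragment
    payload: bytes


class FragmentCache:
    def __init__(self, engine):
        self.engine = engine   # engine 610: rules applied to the head fragment only
        self.entries = {}      # (src, dst, ident) -> [verdict, {offset: payload}, total]

    @staticmethod
    def complete(parts, total):
        """True when the cached payloads cover [0, total) without gaps or overlap."""
        pos = 0
        for off in sorted(parts):
            if off != pos:
                return False
            pos = off + len(parts[off])
        return total is not None and pos == total

    def handle(self, f):
        """Returns (path, verdict, datagram): path is 'engine' for the head, 'bypass' for a
        later fragment already known to the cache, 'hold' for one that beat its head."""
        key = (f.src, f.dst, f.ident)
        seen = key in self.entries
        entry = self.entries.setdefault(key, [None, {}, None])
        if f.offset == 0:
            entry[0] = self.engine(f)        # only the head carries the port number
            path = "engine"
        else:
            path = "bypass" if seen else "hold"   # bypass 675: engine 610 skipped
        entry[1][f.offset] = f.payload
        if not f.more:
            entry[2] = f.offset + len(f.payload)
        verdict, parts, total = entry
        if verdict is None or not self.complete(parts, total):
            return path, verdict, None       # still waiting on the head or more fragments
        del self.entries[key]                # reconstructed; free the cache slot
        data = b"".join(parts[o] for o in sorted(parts))
        return path, verdict, data if verdict == "pass" else None
```

A tail fragment that arrives before its head cannot be screened, since it has no port; it is held until the head's verdict exists, and a dropped datagram is never reassembled for delivery.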
What is claimed is: 

1. A method for inhibiting targeting of an addressless 
screening system coupled between a first computer network 
and a second computer network, including the steps of: 

receiving at the addressless screening system at least one 
data packet directed from the first network to the 
second network, the data packet including a source 
address identifying the first network and a destination 
address identifying the second network, said address- 
less screening system being independent of the first 
computer network; 

inspecting the packet based upon a predetermined crite- 
rion; 

if the predetermined criterion is met, passing the packet 
through to the second network; and 

if the predetermined criterion is not met, then discarding 
the packet while preventing any response by the 
addressless screening system to the first network. 

2. The method of claim 1, wherein the step of inspecting 
based upon predetermined criteria includes the step of 
inspecting at least one of the source address, destination 
address, source port and destination port for the first data 
packet. 

3. The method of claim 1, wherein the step of inspecting 
based upon predetermined criteria includes the step of 
inspecting a type of the requested operation. 

4. The method of claim 1, wherein the step of inspecting 
based upon predetermined criteria includes the step of 
inspecting a state of the connection between a source in the 
first network and a destination in the screening system. 

5. The method of claim 1, wherein the step of inspecting 
based upon predetermined criteria includes the step of 
inspecting the time of day at which the operation is 
requested. 

6. The method of claim 1, wherein the step of inspecting 
based upon predetermined criteria includes the step of 
inspecting whether the source is at an expected network 
location. 

7. A protection system for inhibiting targeting of an 
addressless screening system coupled between a first com- 
puter network and a second computer network, the address- 
less screening system including a processor, a memory 
coupled to the processor and storing instruction modules 
executable by the processor, a first network interface cou- 
pling the screening system to the first network and a second 
network interface coupling the screening system to the 
second network, said addressless screening system being 
independent of the first network, the protection system 
including: 

a first said module configured for receiving at least one 
data packet directed from the first network to the 
second network, the data packet including a source 
address identifying the first network and a destination 
address identifying the second network; 

a second said module configured for inspecting the packet 
based upon a predetermined criterion; 

a third said module configured for passing the packet 
through to the second network, if the predetermined 
criterion is met; 

a third said module configured for discarding the packet 
while preventing any response by the screening system 
to the first network, if the predetermined criterion is not 
met. 

8. The system of claim 7, wherein said second module is 
further configured for inspecting the packet based upon at 
least one of the source address, destination address, source 
port and destination port for the first data packet. 

9. The system of claim 7, wherein said second module is 
further configured for inspecting the packet based upon a 
type of the requested operation. 

10. The system of claim 7, wherein said second module is 
further configured for inspecting the packet based upon a 
state of the connection between a source in the first network 
and a destination in the screening system. 

11. The system of claim 7, wherein said second module is 
further configured for inspecting the packet based upon the 
time of day at which the operation is requested. 

12. The system of claim 7, wherein said second module is 
further configured for inspecting the packet based upon 
whether the source is at an expected network location. 


